Thursday, August 28, 2014

Comments on CSE commissioner's report III

Some final comments on aspects of the CSE commissioner's 2013-14 report, which was released by the Office of the CSE Commissioner (OCSEC) on August 20th (initial comments here and here):

More important than ever?

The signals intelligence efforts of the western allies during the Second World War made a very important contribution to the conduct of the war, and the post-war continuation of those efforts played a vitally important role during the Cold War. We can be pretty sure that the Canadian government considered its participation in those efforts and its access to their output during those times to be extremely valuable to Canada.

That dramatic history notwithstanding, last year's annual report by the CSE commissioner told us that the Five Eyes "alliance may be more valuable now than at any other time, in the context of increasingly complex technological challenges."

The declassified version of one of the commissioner's recent reports to the minister of national defence indicated that this assessment came from CSEC itself: "According to CSEC, the Five-Eyes alliance is more valuable now than at any other time in history, given the increasingly complex technological challenges faced by the partners."

In this year's annual report, the commissioner elaborated on that statement, explaining that "This cooperative alliance may be more valuable to Canada now than at any other time, in the context of increasingly complex technological challenges added to dynamic international affairs and threat environments."

Some of us may tend to doubt that the SIGINT alliance is more important now than at any time in the past. But if budgets can be taken as a measure of the importance ascribed to an activity by the government, then it is pretty clear that this government agrees with the CSEC/OCSEC assessment.

Bright new idea: Let the guy in charge know what's going on

One of the key issues with respect to the possible misuse of Five Eyes agency powers has always been the degree to which the various agencies might be used to spy on each other's domestic communications, thus evading their own laws against domestic spying. Such deliberate evasion, we are always assured, does not take place. But it is certainly true that the Five Eyes agencies do end up sometimes collecting communications involving or concerning persons in other Five Eyes countries and that they do sometimes share that information with the agency of the country concerned. The question of how often and how systematically this occurs is thus of rather considerable importance. (See Wayne Easter's acknowledgement of the practice here.)

You might think, therefore, that the minister responsible to parliament for the agency—the guy who is always assuring us that the privacy of Canadians is entirely safe in his hands—might have some idea of the extent to which this Second Party end-run occurs. You might even expect him to insist on knowing.

But no.

This year's report discusses the question of information about Canadians received from CSEC's Second Party partners (and also the question of information shared by CSEC with those partners), and one of the things it reveals is that, as of the date the commissioner's review was conducted, the minister had never received any reporting from CSEC on the number of Canadian communications or the amount of information about Canadians that CSEC received from the Second Parties: "CSEC has not reported to the Minister of National Defence details, for example, regarding communications involving Canadians or information about Canadians that have been shared by its second party partners."

Fortunately, that lapse is set to change.

The commissioner's report notes that, "to support the Minister of National Defence in his accountability for CSEC and as an additional measure to protect the privacy of Canadians, [previous] Commissioner Décary recommended that CSEC report such details to the Minister on an annual basis." According to the commissioner, the minister has accepted that recommendation, and another one calling for a ministerial directive to lay out the parameters of information sharing with the Second Parties and related privacy protections.

So score one for OCSEC.

Sharing, sharing, sharing

Also on the topic of sharing, the report notes that

Commissioner Décary was unable to assess the extent to which CSEC’s second party partners follow [existing] agreements and protect the private communications and information about Canadians in what CSEC shares with the partners. CSEC does not as a matter of general practice seek evidence to demonstrate that these principles are in fact being followed.

While CSEC uses indicators that it believes provide sufficient assurance that the Second Parties are honouring their arrangements, it did not initially demonstrate knowledge or provide evidence of how its second party partners treat information relating to Canadians. During the conduct of this review, CSEC declined to provide the Commissioner’s office with a description of or a copy of relevant extracts of second party policies on the handling of this information. CSEC also declined at that time to identify for the Commissioner’s office any specific differences — large or small — between respective partners’ laws, policies and practices and how this may affect the partners’ protection of the privacy of Canadians. CSEC suggested at that time that review of second party authorities and activities pertain to the Second Parties and not to the lawfulness of CSEC activities and these questions were therefore outside of the Commissioner’s mandate.

This is not the first time that CSEC has told OCSEC what it can and cannot look at, which I find highly disturbing. I also find it a little strange that OCSEC didn't simply order CSEC to hand the information over. (We are constantly assured, and indeed the National Defence Act affirms, that the CSE commissioner has "all the powers of a commissioner under Part II of the Inquiries Act.")

Be that as it may, CSEC Chief John Forster did eventually relent on the question:

Subsequent to Commissioner Décary sending his classified report to the Minister of National Defence, the new Chief of CSEC, Mr. John Forster, re-examined CSEC’s initial position, sought permission from second party partners, and provided the Commissioner’s office with detailed documentation relating to respective second party policies and procedures on the treatment of information about Canadians. This is one example of Chief Forster’s positive leadership to promote increased transparency of CSEC activities and to support review by my office.

Is it churlish to note that it only took Mr. Forster a year and a half or so after becoming the new Chief to get around to demonstrating that "positive leadership"?

Give the man a gold star.

Still, score another one for OCSEC.

The system works!

Reading this year's report, it is clear that OCSEC is proceeding from triumph to triumph. Fair enough.

I think the commissioner is straining a bit, however, when he declares that the Mosley mess is an example of the system working:

Some have suggested that this matter points to a failure of the review bodies to help control the intelligence agencies. On the contrary, these events demonstrate how review works, as Justice Mosley was alerted to this following Commissioner Décary’s recommendations. It also demonstrates how review bodies — in this case the Commissioner’s office and SIRC — can cooperate and share information within existing legislative mandates.

OK. OCSEC recommends that CSEC advise CSIS to inform Justice Mosley that CSIS and CSEC have been eliciting the assistance of Second Parties to help monitor Canadians abroad, something they deliberately chose not to tell Mosley when CSIS applied for the warrants to do the monitoring in the first place. CSEC does as the commissioner recommends, and CSIS (as far as we can tell) then ignores the commissioner's suggestion entirely. Later on, Justice Mosley happens to read OCSEC's public report and decides to investigate on his own. Hilarity ensues.

That's the system working?

I dunno. Maybe OCSEC sent Mosley a copy of the 2012-13 annual report and said you might want to read pages 21 to 25. In fact, you definitely want to read pages 21 to 25.

But it still seems like a pretty ad hoc way to get results.

For all that CSE commissioners have been gradually increasing the proportion of intelligible information in their traditionally obscurantist annual reports (and to that I say BZ!), it seems to me that if the privacy of Canadians depends on key people extracting actionable intelligence from the Delphic pronouncements typically found in those documents, we're all in deep trouble.

Cooperation with review agencies in 2nd parties

The commissioner reports that he plans to look into the possibility of working cooperatively with the review mechanisms that exist in other Five Eyes countries:

In the coming months, I will explore options to cooperate with review bodies of second party countries to examine information sharing activities among respective intelligence agencies and to verify the application of respective policies. A number of Canadian and international academics have referred to an accountability gap concerning an absence of international cooperation among review bodies. These researchers suggest that growing international intelligence cooperation should be matched by growing international cooperation between review bodies. I will examine opportunities for cooperation.

When the media suggested that CSEC had illegally tracked the movements and on-line activities of persons at a Canadian airport, we were briefed by CSEC. We questioned the CSEC employees involved and examined results of the activity. Based on our investigation and on our accumulated knowledge, I concluded that this CSEC activity did not involve “mass surveillance” or tracking of Canadians or persons in Canada; no CSEC activity was directed at Canadians or persons in Canada.

And that's about as detailed as his explanation gets.

Here are the comments made by some obscure law professor by the name of Craig Forcese (who happens to specialize in national security law) back in January.

We did eventually learn the basis of CSEC's position that no "tracking" took place. Perhaps unsurprisingly, it all comes down to the definition of tracking (see mid-way through this post). Apparently you can't be "tracked", even if they follow you around, if they haven't bothered to find out exactly who you are.

As for "directed at", it appears that this term refers only to activities designed to collect information about specific individuals. Thus, according to CSEC and the commissioner, CSEC can acquire and analyze metadata that pertains almost exclusively to Canadians or persons in Canada (as demonstrated here) without that activity being considered "directed at" Canadians or persons in Canada.

Thus, we are told, the kind of thing CSEC did in the "airport wi-fi" experiment isn't a problem.

Others are less sanguine about the legalities of CSEC metadata collection and use (including that Forcese guy again).

The Supreme Court's R. v. Spencer judgment in June makes CSEC's, and the commissioner's, position on metadata even more questionable (yup, Forcese again), but to be fair to the commissioner, that ruling came out too late to be considered in this report.

Will it be discussed in next year's report? I can't say I'm confident it will be, but the commissioner did promise to keep an eye on the topic:

My review has identified some important questions, which I will continue to examine in the coming year, including: what are the vulnerabilities and risks to the privacy of Canadians imposed by new technologies that CSEC uses to collect and analyze metadata? How and to what extent can privacy protections be built directly into the technologies and processes used by CSEC for metadata collection and analysis? I will report on the results in my next public annual report.

What about the gazebo?

The question of NSA (and CSEC) spying on the G8/G20 summits, and the legality of such activities, also came up during the last year.

My own view is that spying did take place, that CSIS and CSEC took the lead, and that it was entirely legal.

But others had different views. The commissioner's report says nothing on the topic.